geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0

Apache Commons Text - CVE-2022-42889 (Text4Shell) #6631

Open wshelley opened 1 year ago

wshelley commented 1 year ago

Is there any guidance on the impact of CVE-2022-42889 (Text4Shell) in GeoNetwork?

It sounds like it's much more difficult to exploit than the likes of the Log4Shell issue earlier in the year. But it would be useful to get confirmation that GeoNetwork is not affected.

Trivy is currently showing that the latest GeoNetwork versions (3.12.7 or 4.2.1) have the vulnerable library:

trivy image geonetwork:4.2.1
2022-10-19T17:10:58.255+0100 INFO Detecting jar vulnerabilities...

Library: org.apache.commons:commons-text
Vulnerability: CVE-2022-42889
Severity: CRITICAL
Installed version: 1.6 (fixed in 1.10.0)
Title: apache-commons-text: variable interpolation RCE
Link: avd.aquasec.com/nvd/cve-2022-42889
Importance: Critical
Severity: Critical
CVSS v3 Score: 9.8
CVE ID: CVE-2022-42889
Systems Affected: Apache Commons Text
Description: Apache Commons Text gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component, and allows RCE when applied to untrusted input due to insecure interpolation defaults.
Further Information: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. The set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. Affected versions: 1.5 - 1.9. More detailed information on the vulnerability and mitigation recommendations can be found in the "What to do" section of https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/
Recommendations: Upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

juanluisrp commented 1 year ago

GeoNetwork doesn't use any function from Apache commons-text directly in its source code. It's included in GN because it is a dependency of Geotools.

According to this PR (https://github.com/geotools/geotools/pull/4048) in the Geotools project, versions of Geotools using commons-text < 1.10.0 aren't affected because it only uses WordUtils.abbreviate(...) and WordUtils.capitalizeFully(), methods that don't do string interpolation.

In summary: GN is not affected by CVE-2022-42889 even when it includes a vulnerable commons-text version (1.6).
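
One way to check the argument above against a deployed build, as an added example that is not GeoNetwork or GeoTools code: scan the jars in the deployment (for a war, WEB-INF/lib) for bundled commons-text versions, and for any class whose constant pool references the interpolating API (StringSubstitutor, StringLookupFactory) rather than only WordUtils. The commons-text-<version>.jar naming convention, the byte search over .class entries as a stand-in for javap, and the two sample jars built by build_sample_jars are assumptions or constructed input; a class that reaches StringSubstitutor only by reflection with a dotted name would not be caught, and the tool says nothing about whether the scanner finding will clear, which still needs the upgrade.

```python
"""Triage a CVE-2022-42889 scanner finding: is commons-text < 1.10.0 bundled,
and does any non-commons-text class reference the interpolating API?
Class references are stored in the constant pool in internal form
(org/apache/...), so a byte search over each .class entry is a cheap
approximation of `javap -v` (assumption: no reflective dotted-name lookups)."""
import io
import re
import zipfile
from pathlib import Path

# Entry points of the variable-interpolation feature the CVE affects.
INTERPOLATION_CLASSES = (
    b"org/apache/commons/text/StringSubstitutor",
    b"org/apache/commons/text/lookup/StringLookupFactory",
)
# Helper class the thread reports GeoTools using; it performs no interpolation.
WORDUTILS_CLASS = b"org/apache/commons/text/WordUtils"
# Assumed jar naming convention: commons-text-<version>.jar
COMMONS_TEXT_JAR = re.compile(r"commons-text-(\d+(?:\.\d+)*)\.jar$")
FIXED_VERSION = (1, 10, 0)  # first release with script/dns/url lookups off by default


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def make_jar(entries):
    """Build an in-memory zip (a jar is a zip) from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry, content in entries.items():
            jar.writestr(entry, content)
    return buf.getvalue()


def scan_jar(name, data):
    """Scan one jar. Reports its commons-text version (if it is commons-text)
    and the classes outside org.apache.commons.text that reference the
    interpolating API or WordUtils."""
    report = {
        "jar": name,
        "commons_text_version": None,
        "vulnerable_version": False,
        "interpolating_refs": [],
        "wordutils_refs": [],
    }
    match = COMMONS_TEXT_JAR.search(name)
    if match:
        report["commons_text_version"] = match.group(1)
        report["vulnerable_version"] = version_tuple(match.group(1)) < FIXED_VERSION
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for entry in jar.namelist():
            # commons-text's own classes reference themselves; skip them so
            # only consumers of the library are reported.
            if not entry.endswith(".class") or entry.startswith("org/apache/commons/text/"):
                continue
            blob = jar.read(entry)
            if any(cls in blob for cls in INTERPOLATION_CLASSES):
                report["interpolating_refs"].append(entry)
            elif WORDUTILS_CLASS in blob:
                report["wordutils_refs"].append(entry)
    return report


def scan_directory(path):
    """Scan every *.jar under path, e.g. WEB-INF/lib of the deployed war."""
    return [scan_jar(p.name, p.read_bytes()) for p in sorted(Path(path).rglob("*.jar"))]


def assess(reports):
    """Reduce per-jar reports to one verdict."""
    bundled = [r for r in reports if r["vulnerable_version"]]
    callers = [r for r in reports if r["interpolating_refs"]]
    if not bundled:
        return "clean"        # no commons-text < 1.10.0 on the classpath
    if callers:
        return "investigate"  # vulnerable version AND a class uses the interpolating API
    return "scanner-only"     # vulnerable version bundled, nothing references StringSubstitutor


def build_sample_jars():
    """Constructed sample input (not real class files, not GeoNetwork jars):
    a commons-text 1.6 jar and a hypothetical consumer that only uses WordUtils."""
    return {
        "commons-text-1.6.jar": make_jar({
            "org/apache/commons/text/StringSubstitutor.class":
                b"\xca\xfe\xba\xbe org/apache/commons/text/StringSubstitutor",
            "org/apache/commons/text/WordUtils.class":
                b"\xca\xfe\xba\xbe org/apache/commons/text/WordUtils",
        }),
        "gt-example-25.0.jar": make_jar({
            "org/example/Formatter.class":
                b"\xca\xfe\xba\xbe org/apache/commons/text/WordUtils capitalizeFully",
        }),
    }


def demo():
    reports = [scan_jar(name, data) for name, data in build_sample_jars().items()]
    return assess(reports), reports


if __name__ == "__main__":
    verdict, reports = demo()
    print(verdict)
    for r in reports:
        print(r)
```

On the constructed sample the verdict is "scanner-only": the 1.6 jar is present, but the only consumer class references WordUtils, which is the situation the comment above describes. Run scan_directory against a real WEB-INF/lib and feed the result to assess to get the same verdict for an actual deployment.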

wshelley commented 1 year ago

Thank you @juanluisrp that answers my question and will provide the reassurance to our team 👍

ianwallen commented 1 year ago

@juanluisrp

FYI

Due to this issue, Docker hub is flagging the image as vulnerable.


Is it possible to exclude the jar/dependency if it is not used?

juanluisrp commented 1 year ago

No, Geotools doesn't use the vulnerable string interpolation but it still uses the Commons Text library. The way to fix this is to update our Geotools dependency to a version that doesn't rely on the vulnerable version of commons-text.

jodygarnett commented 1 year ago

To follow @juanluisrp's direction, the version of geotools to use on the 3.12 branch should be 26.x or newer.

Since this is raising flags from vulnerability scans.